Corsha lands $12M to bring MFA security to machine-to-machine API traffic

Corsha, a Washington, D.C.-based cybersecurity startup, has secured a $12 million Series A investment to bring multi-factor authentication (MFA) to machine-to-machine API traffic.

APIs, which allow two applications on the internet to talk to each other, became central to organizations’ digital transformation efforts during the pandemic. This has made APIs a prime target for malicious hackers, with Gartner predicting that APIs will make up the largest attack vector in cybercrime by this year. API vulnerabilities have recently been the cause of a number of high-profile security breaches: Peloton spilled users’ private account information; Experian exposed the financial histories of millions of Americans; and Facebook, LinkedIn and Clubhouse all had user data scraped because of poorly secured APIs.

In an effort to protect other organizations from suffering the same fate, Corsha has developed an automated MFA solution for machine-to-machine API traffic.

Typically, if an application or service wants to make an API call, it leverages a primary authentication factor like a PKI certificate or a JSON web token. Corsha toughens those requests with a one-time-use MFA credential built from the machine’s dynamic identity and checked against a cryptographically verifiable distributed ledger network. The API request is only accepted if there is a match between the MFA credential and that machine’s identity, and each API call requires a fresh, one-time-use credential, enabling zero-trust access for an organization’s API services.

“With human MFA, as soon as you get your authenticator downloaded and set up, you’re pinning access to your trusted machine. That’s what we’re doing in the API world,” Corsha co-founder and CTO Anusha Iyer told TechCrunch.

While MFA is by no means immune to hackers — threat actors have in the past been able to bypass MFA using SIM swap and man-in-the-middle (MITM) attacks — Corsha describes its patented technology as “MFA++.”

“We’re able to do this uniquely, in that there’s no central repository where we hold this secret master device where somebody could compromise us. We’ve flipped it, so the origin of the MFA happens on the machine itself. Keeping it out of sight of the attacker was key to us,” said Corsha’s co-founder and CEO Chris Simkins.

Prior to founding the startup in 2018, Simkin’s worked for the Department of Justice as part of its national security division.

The startup’s link to the U.S. government doesn’t stop there, as Corsha secured the U.S Air Force as its first customer back in 2020, which is using the technology to secure mission-critical data in motion across Air Force platforms. “Our first customer out of the block was the U.S. government, and that’s been a pretty good validator for us,” Simkins added.

The startup’s Series A investment, which was co-led by Ten Eleven Ventures and Razor’s Edge Ventures with participation from 1843 Capital, will see Corsha expand its go-to-market efforts in the enterprise. It’s also on a rapid hiring spree, Simkins tells TechCrunch, as it looks to bolster its current team of 10 employees.